CN105577606A - Method and device for realizing register of authenticator - Google Patents
- Publication number: CN105577606A (application CN201410529164.3A)
- Authority: CN (China)
- Legal status: Granted
Abstract
The invention relates to the field of communications technology and provides a method and a device for authenticator registration. In the method, the authenticator receives a registration state query message sent by an authentication client, where the message contains the authentication information of a first user on a server; according to that authentication information and a private key stored by the authenticator, the authenticator determines that no registration record of the first user exists on the authenticator; it sends a registration state query response message whose registration state is "unregistered" to the authentication client; it receives an authenticator registration request sent by the authentication client; and it registers the first user on the server according to the server's application identifier. Because the authenticator decides from the first user's authentication information on the server and its own stored private key whether it has already registered the first user on that server, the decision is accurate, and the first user can still be registered on the same server even when the authenticator has already registered other users there.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and a system for authenticator registration.
Background
Early authentication generally relied on a username plus a password. When logging in to a website, the user enters a user name and the corresponding password, and the website compares them with the user name and password it has stored to decide whether the user is legitimate. This authentication method requires the website to store the user's password, and whether the password is stored in the clear or in some encrypted form, there is a risk of leakage.
To improve the security of identity authentication, one feasible approach is multi-factor authentication, that is, using authentication modes of different types to confirm the user's identity. The U2F (Universal 2nd Factor) protocol is a simplified, complementary authentication protocol: the U2F authenticator serves as a secondary authentication factor and is combined with another credential, such as the website password, to authenticate the user, which substantially improves the security of the user's account. A U2F deployment generally involves three logical entities:
a server: represents the manager of the user's identity; it may be the server of a service provider or the server of an identity provider (IDP);
an authentication client: connects the authenticator to the server, for example a browser plug-in;
an authenticator: for example an internet banking U shield.
The authenticator registers and authenticates the user on the server through the authentication client. Registration mainly establishes an association among the user, the authenticator and the server. On successful registration the authenticator generates a public/private key pair and a private key handle; it stores the private key, the private key handle and the application identifier, and sends the public key and the private key handle to the server, which stores the user identifier, the private key handle and the public key.
Before registering, the authenticator needs to check whether it has already registered this user on this server, so as to prevent repeated registration; if it considers the user already registered, no further registration takes place. In the prior art the authenticator checks this as follows: from the registration state query message sent by the authentication client it obtains the server's application identifier and a private key handle. It then looks up locally the private key and application identifier corresponding to that handle. If none are found, the authenticator concludes that it holds no registration for the user. If a private key and application identifier are found, it compares the stored application identifier with the server's application identifier from the registration state query message: if they differ, the user is deemed unregistered on this authenticator; if they are the same, the authenticator concludes that it has already registered the user on the server.
However, this method cannot actually determine whether a given user is registered on the server. For example, suppose a first user has registered with a server (say, a Chinese bank) using a first authenticator, which keeps the registration record {appid = boc.com; keyhandle = 1; private key = aaa}, while the server keeps the registration record {public key = 12345; keyhandle = 1; ID = first user identity}. A second user registers on the same server using a second authenticator; the second authenticator keeps the registration record {appid = boc.com; keyhandle = 1; private key = bbbb} for the second user, and the server stores the registration record {public key = 23456; keyhandle = 1; ID = second user identity} for the second user's registration with the second authenticator.
Under the prior-art method, when the first user wishes to register with the server using the second authenticator, the second authenticator checks whether the first user is already registered on the basis of the first user's registration record on the server. Specifically, the server looks up, by the first user identifier, the first user's registration record on the server {public key = 12345; keyhandle = 1; ID = first user identity}. From this record the server constructs a registration request and sends it to the authentication client; the request carries the server's application identifier boc.com and the private key handle keyhandle = 1 from the first user's registration record on the server. The authentication client builds a registration state query message from the application identifier boc.com and the private key handle keyhandle = 1 in the registration request and sends it to the second authenticator. Using the private key handle = 1 taken from the first user's server record, the second authenticator finds the second user's registration record {appid = boc.com; keyhandle = 1; private key = bbbb}, whose appid equals the server's application identifier. The second authenticator therefore concludes that it has already registered the first user on the server, so the first user cannot register with the second authenticator: the same authenticator cannot be used by multiple users on the same server.
Disclosure of Invention
The embodiment of the invention provides a method and a device for registering an authenticator, which can further register a first user on the same server under the condition that the authenticator is already registered on the server for other users.
In a first aspect, an embodiment of the present invention provides a method for authenticator registration, including receiving a registration status query message sent by an authentication client; wherein, the registration state inquiry message contains the authentication information of the first user on the server; determining that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored by the authenticator; sending a registration state query response message of which the registration state is unregistered to the authentication client; receiving an authenticator registration request sent by the authentication client, wherein the authenticator registration request comprises an application identifier of the server; and registering the first user on the server according to the application identifier of the server.
With reference to the first aspect, in a first possible implementation manner of the first aspect, after the registering the first user on the server according to the application identifier of the server, the method further includes: and sending an authenticator registration response to the authentication client according to the authenticator registration request, wherein the authenticator registration response comprises a public key and a private key handle generated by the authenticator, so that the authentication client can send a first registration response to the server, and the first registration response comprises the public key and the private key handle generated by the authenticator.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the determining, according to the authentication information and a private key stored in an authenticator, that the registration record of the first user does not exist on the authenticator includes: encrypting a first parameter using a public key in a registration record of the first user saved on the server; determining that the encrypted first parameter cannot be decrypted using a private key held by the authenticator, wherein the first parameter comprises at least one of any parameters known to the authenticator; or encrypting the first parameter by using a private key stored by the authenticator; determining that the encrypted first parameter cannot be decrypted using a public key in the first user's registration record on the server, wherein the first parameter comprises at least one of any parameters known to the authenticator.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the determining that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored in the authenticator is that the authentication information is information obtained by encrypting a second parameter by using a public key in the registration record of the first user stored on the server by the server, and specifically includes: decrypting the encrypted information by using a private key stored by the authenticator, and determining that the encrypted information cannot be decrypted by using the private key stored by the authenticator; wherein the second parameter comprises at least one of any parameter known to the authenticator.
With reference to the first aspect and any one of the first implementation manner to the third implementation manner of the first aspect, in a fourth implementation manner of the first aspect, the registration state query message further includes a private key handle in the registration record of the first user, which is stored on the server and corresponds to the authentication information; before determining that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored by the authenticator, the method further comprises: acquiring a registration record stored by an authenticator according to a private key handle in the registration record of the first user stored on the server; and acquiring a private key stored by the authenticator according to the acquired registration record stored by the authenticator.
In a second aspect, an embodiment of the present invention provides a method for authenticator registration, including: receiving a first registration request sent by a server, wherein the first registration request comprises authentication information of a first user on the server and an application identifier of the server; sending a registration state query message to an authenticator, wherein the registration state query message contains the authentication information; receiving a registration state query response message sent by the authenticator, wherein the registration state query response message contains a registration state indicating unregistered; and sending an authenticator registration request to the authenticator, wherein the authenticator registration request comprises the application identifier of the server.
With reference to the second aspect, in a first implementation manner of the second aspect, after the sending of the registration request to the authenticator, the method further includes: receiving an authenticator registration response sent by the authenticator, wherein the authenticator registration response comprises a public key and a private key handle generated by the authenticator; and sending a first registration response to the server according to the authenticator registration response, wherein the first registration response comprises a public key and a private key handle generated by the authenticator.
With reference to the second aspect or the first implementation manner of the second aspect, in a second implementation manner of the second aspect, the authentication information is a public key in a registration record of the first user, where the registration record is stored on the server; or the authentication information is obtained by the server encrypting the second parameter by using the public key in the registration record of the first user stored on the server; wherein the second parameter comprises at least one of any parameter known to the authenticator.
In a third aspect, an embodiment of the present invention provides a registration method for an authenticator, including sending a first registration request to an authentication client after receiving a registration request triggered by a first user, where the first registration request includes authentication information of the first user on a server and an application identifier of the server; receiving a first registration response sent by the authentication client; wherein the first registration response comprises a public key and a private key handle generated by an authenticator; and storing the public key and the private key handle generated by the authenticator into the registration record of the first user on the server.
With reference to the third aspect, in a first implementation manner of the third aspect, the authentication information is a public key in a registration record of the first user, where the registration record is stored on the server; or the server uses the public key in the registration record of the first user stored on the server to encrypt the second parameter to obtain information; wherein the second parameter comprises at least one of any parameter known to the authenticator.
In a fourth aspect, an embodiment of the present invention provides an authenticator registration apparatus, including: a receiving module, configured to receive a registration state query message sent by an authentication client, where the registration state query message contains the authentication information of the first user on the server; a determining module, configured to determine, according to the authentication information received by the receiving module and a private key stored by the authenticator, that the registration record of the first user does not exist on the authenticator; a sending module, configured to send a registration state query response message whose registration state is unregistered to the authentication client; the receiving module is further configured to receive an authenticator registration request sent by the authentication client, where the authenticator registration request includes an application identifier of the server; and a registration module, configured to register the first user on the server according to the application identifier of the server received by the receiving module.
With reference to the fourth aspect, in a first implementation manner of the fourth aspect, the sending module is further configured to send an authenticator registration response to the authentication client according to the authenticator registration request, where the authenticator registration response includes a public key and a private key handle generated by the authenticator, so that the authentication client sends a first registration response to the server, where the first registration response includes the public key and the private key handle generated by the authenticator.
With reference to the fourth aspect or the first implementation manner of the fourth aspect, in a second implementation manner of the fourth aspect, the authentication information is a public key in a registration record of the first user that is stored on the server, and the determining module is specifically configured to: encrypting a first parameter using a public key in a registration record of the first user saved on the server; determining that the encrypted first parameter cannot be decrypted using a private key held by the authenticator, wherein the first parameter comprises at least one of any parameters known to the authenticator; or encrypting the first parameter by using a private key stored by the authenticator; determining that the encrypted first parameter cannot be decrypted using a public key in the first user's registration record on the server, wherein the first parameter comprises at least one of any parameters known to the authenticator.
With reference to the fourth aspect or the first implementation manner of the fourth aspect, in a third implementation manner of the fourth aspect, the authentication information is information obtained by encrypting, by the server, a second parameter by using a public key in the registration record of the first user, where the public key is stored in the server, and the determining module is specifically configured to: decrypting the encrypted information by using a private key stored by the authenticator, and determining that the encrypted information cannot be decrypted by using the private key stored by the authenticator; wherein the second parameter comprises at least one of any parameter known to the authenticator.
With reference to the fourth aspect and any one of the first implementation manner to the third implementation manner of the fourth aspect, in a fourth implementation manner of the fourth aspect, the registration state query message further includes a private key handle in the registration record of the first user, which is stored on the server and corresponds to the authentication information; and before the determining module determines, according to the authentication information and a private key stored in the authenticator, that the registration record of the first user does not exist on the authenticator, the apparatus further includes: an acquiring module, configured to acquire a registration record stored by the authenticator according to the private key handle in the registration record of the first user stored on the server; the acquiring module is further configured to acquire the private key stored by the authenticator from the acquired registration record stored by the authenticator.
In a fifth aspect, an embodiment of the present invention provides an authentication client, including: a receiving module, configured to receive a first registration request sent by a server, where the first registration request includes authentication information of a first user on the server and an application identifier of the server; a sending module, configured to send a registration state query message to the authenticator according to the first registration request received by the receiving module, where the registration state query message contains the authentication information; the receiving module is further configured to receive a registration state query response message sent by the authenticator, where the registration state query response message contains a registration state indicating unregistered; and the sending module is further configured to send an authenticator registration request to the authenticator according to the registration state query response message received by the receiving module, where the authenticator registration request includes the application identifier of the server.
With reference to the fifth aspect, in a first implementation manner of the fifth aspect, after the sending module is configured to send an authenticator registration request to the authenticator, the authentication client further includes: the receiving module is further configured to receive an authenticator registration response sent by the authenticator, where the authenticator registration response includes a public key and a private key handle generated by the authenticator; the sending module is further configured to send a first registration response to the server according to the authenticator registration response received by the receiving module, where the first registration response includes a public key and a private key handle generated by the authenticator.
With reference to the fifth aspect or the first implementation manner of the fifth aspect, in a second implementation manner of the fifth aspect, the authentication information is a public key in a registration record of the first user, where the registration record is stored on the server; or the authentication information is obtained by the server encrypting the second parameter by using the public key in the registration record of the first user stored on the server; wherein the second parameter comprises at least one of any parameter known to the authenticator.
In a sixth aspect, an embodiment of the present invention provides a registration server for an authenticator, including: a sending module, configured to send a first registration request to an authentication client after a registration request triggered by a first user is received, where the first registration request includes authentication information of the first user on the server and an application identifier of the server; a receiving module, configured to receive a first registration response sent by the authentication client, where the first registration response includes a public key and a private key handle generated by an authenticator; and a storage module, configured to store the public key and the private key handle generated by the authenticator in the registration record of the first user on the server.
With reference to the sixth aspect, in a first implementation manner of the sixth aspect, the authentication information is a public key in a registration record of the first user, where the registration record is stored on the server; or the server uses the public key in the registration record of the first user stored on the server to encrypt the second parameter to obtain information; wherein the second parameter comprises at least one of any parameter known to the authenticator.
In a seventh aspect, an embodiment of the present invention provides an authenticator registration apparatus, including: a processor, a memory; wherein the memory has a computer readable program stored therein; the processor is configured to execute the program in the memory to perform the method provided by any one of the implementation manners of the first aspect.
The authenticator of the embodiment can accurately judge whether the authenticator is registered on the server for the first user according to the authentication information of the first user on the server and the private key stored by the authenticator, so that the first user can be further registered on the same server under the condition that the authenticator is registered on the server for other users.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for registering an authenticator according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for registering an authenticator according to another embodiment of the present invention;
fig. 3 is a flowchart of a method for registering an authenticator according to another embodiment of the present invention;
fig. 4 is a signaling interaction diagram of an authenticator registration method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an authenticator registration apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an authentication client according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a server according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of an authenticator registration apparatus according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an authentication client according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a server according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of a system for authenticator registration according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a method and a device for registering an authenticator, which can further register a first user on the same server under the condition that the authenticator is already registered on the server for other users.
The authenticator registration method of the embodiment may be implemented on any U2F device, such as an internet banking U shield. The server may be that of a service provider, such as Bank of China, Taobao or a gaming platform, or that of an independent identity provider. When a user wishes to use an account on a server, the user's identity must be authenticated first, and to make that possible the user needs to register on the server using the authenticator. The authenticator registers the user on the server through the authentication client, such as a browser plug-in. In the embodiment of the invention, a first user already owns a first authenticator, which has registered the first user on the server. The first user now wishes to register on the same server using a second authenticator that has already registered other users on that server.
Referring to fig. 1, which shows an embodiment of the authenticator registration method of the present invention, the method of this embodiment includes:
102. The authenticator receives a registration state query message sent by the authentication client, where the registration state query message contains the authentication information of the first user on the server.
Specifically, before the authenticator registers the first user on the server, that is, before it generates a public/private key pair and a private key handle, the authentication client constructs a registration state query message to query the authenticator's registration state and determine whether the authenticator has already registered the first user on the server, so that repeated registration is avoided.
Before the authenticator receives the registration state query message, the authentication client receives a first registration request sent by the server; the first registration request includes the authentication information, and the authentication client constructs the registration state query message from it.
104. The authenticator determines, according to the authentication information and a private key stored by the authenticator, that the registration record of the first user does not exist on the authenticator.
When the authenticator registers a user on the server, it generates a public key, a private key and a private key handle. The authenticator saves the private key and the private key handle as the user's registration record on the authenticator and sends the public key and the private key handle to the server through the authentication client; the server saves them in the user's registration record on the server.
Optionally, the authentication information is the public key in the registration record of the first user stored on the server, and determining that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored on the authenticator specifically includes either of the following:
- encrypting a first parameter with the public key from the registration record of the first user stored on the server, and determining that the result cannot be decrypted with a private key held by the authenticator; or
- encrypting the first parameter with a private key held by the authenticator, and determining that the result cannot be decrypted with the public key from the registration record of the first user stored on the server.
In both cases the first parameter is any value known to the authenticator, for example at least one of a random number (nonce) generated by the authenticator, a private key held by the authenticator and the handle of that private key. Because the authenticator knows the plaintext, "cannot be decrypted" means that the decryption does not recover the first parameter. The second form is, in practice, a signature: the authenticator signs the first parameter with its private key and verifies the signature with the server-supplied public key. For a U2F authenticator, whose keys are ECDSA P-256 signing keys and cannot encrypt, it is the only one of the two forms that can be realized directly.
Optionally, the authentication information is information obtained by the server by encrypting a second parameter with the public key in the registration record of the first user stored on the server, and determining that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored on the authenticator specifically includes: attempting to decrypt the encrypted information with a private key stored on the authenticator, and determining that the decryption fails, that is, that the result is not the second parameter. The second parameter is any value known to the authenticator, for example at least one of the application identifier of the server and the private key handle stored in the registration record of the first user on the server; because the authenticator knows the expected plaintext it can recognise a failed decryption. This form requires a key pair that supports public-key encryption (for example an RSA key pair); an ECDSA signing key alone cannot perform it.
Both methods of determining that the first user's registration record does not exist on the authenticator rest on the property of a public-key cryptosystem that encryption and decryption use different keys, a public key and a private key, that the two keys are complementary, and that each public key corresponds to exactly one private key: data encrypted with one key of the pair can be decrypted only with the other, and if data can be decrypted with one key it must have been encrypted with the other. The check therefore establishes whether the private key held by the authenticator and the public key held by the server form such a pair, and hence whether the registration record of the first user exists on the authenticator. The two methods differ in where the operations run: when the authentication information is the public key in the first user's registration record on the server, both the encryption and the decryption are performed by the authenticator; when the authentication information is the second parameter encrypted by the server with that public key, the encryption is performed by the server and the decryption by the authenticator. Because the authenticator and the server already have encryption and decryption modules, the method needs neither additional hardware nor additional secure storage space. The symmetric formulation, in which either key of the pair can encrypt and the other decrypt, describes RSA-type keys; with a signature-only key pair such as the ECDSA keys of U2F, the same correspondence is established by signing with the private key and verifying with the public key, which covers the first method but not the second.
It should be noted that when the authenticator holds a plurality of registration records, each registration record contains a private key, and whether the first user's registration record exists must then be determined from the authentication information and every private key stored on the authenticator. For example, if the authenticator holds m registration records, where m is a positive integer, the check is performed with the private key of the first record and the authentication information to decide whether the first record is the first user's registration record, then with the private key of the second record, and so on. Only when none of the m records is the first user's registration record is it determined that the registration record of the first user does not exist on the authenticator; stopping at the first non-matching record would produce a false "unregistered" and permit exactly the duplicate registration the scheme is meant to prevent.
Optionally, in step 102 the registration status query message further includes the private key handle in the registration record of the first user stored on the server that corresponds to the authentication information. Specifically, whether the authentication information is the public key in the first user's registration record on the server or the second parameter encrypted by the server with that public key, the corresponding private key handle is the one stored in the same registration record as that public key. The authenticator first looks up its own registration record by that private key handle, then takes the private key from that record, and determines from the authentication information and that private key whether the registration record of the first user exists on the authenticator; if no record on the authenticator carries the handle, or the check with that record's private key fails, the registration record of the first user does not exist on the authenticator. When the authenticator holds several registration records, a single judgement thus suffices instead of a scan of all records, which improves the efficiency of the registration state query. The handle only selects the candidate record; the decision is still made by the key check, so a handle that happens to exist on the authenticator but belongs to another registration does not yield "registered".
Step 106: sending a registration state query response message of which the registration state is unregistered to the authentication client;
Specifically, when it is determined from the authentication information and the private key stored by the authenticator that the registration record of the first user does not exist on the authenticator, the authenticator has not registered the first user on the server, and the authenticator sends a registration state query response message to the authentication client in which the registration state is marked "unregistered".
Optionally, when it is determined from the authentication information and the private key stored by the authenticator that the registration record of the first user exists on the authenticator, the authenticator has already registered the first user on the server and need not register again, and the authenticator returns a registration state query response message to the authentication client in which the registration state is marked "registered".
Specifically, the registration state query response message may be carried as an APDU (application protocol data unit) message in which the registration state is encoded in the two status bytes, with the following format:
- registered: status bytes 0x69 0x85, no payload
- unregistered: status bytes 0x6A 0x80, no payload
These are the ISO 7816-4 status words that the U2F raw message format returns for a check-only authentication request: 0x69 0x85 ("conditions not satisfied") when the key handle was created by this authenticator and 0x6A 0x80 ("wrong data") when it was not. A client must therefore read them as registration states only in the reply to a registration state query message, not in the reply to other commands.
And after receiving the registration state query response message, the authentication client determines whether the authenticator is registered on the server for the first user according to the registration state query response message.
Step 108: receiving an authenticator registration request sent by the authentication client, wherein the authenticator registration request comprises an application identifier of the server;
Specifically, after receiving from the authenticator a registration state query response message whose registration state is "unregistered", the authentication client constructs an authenticator registration request and sends it to the authenticator. The authenticator registration request contains the application identifier of the server, which indicates on which server the authenticator is to register the first user.
Step 110: and registering the first user on the server according to the application identifier of the server.
Specifically, the authenticator registers the first user on the server according to the application identifier of the server carried in the authenticator registration request, namely by generating a public/private key pair and a private key handle. How a key pair and a private key handle are generated is well known to those skilled in the art and is not described in detail here. The private key handle is the index of the private key inside the authenticator. Its generation method is not fixed; for example, the authenticator may generate a random number, and because the secure storage space of the authenticator is limited, the private key handle may be a simple short random number. This differs from U2F key-wrapping designs, in which the key handle carries the private key encrypted under a device key and the authenticator stores no per-registration record; in the present design the authenticator stores one record per registration, which is why duplicate registrations are to be avoided.
Optionally, after registering the first user on the server according to the authenticator registration request, the authenticator returns an authenticator registration response to the authentication client, where the authenticator registration response includes the public key and private key handle generated by the authenticator for the registration of the first user on the server. The authentication client then sends a first registration response to the server according to the authenticator registration response, where the first registration response includes that public key and private key handle.
Optionally, before step 102, the authentication client receives a first registration request sent by the server and constructs the registration status query message from it. The authentication information of the first user on the server, the private key handle in the registration record of the first user stored on the server, and the application identifier of the server are carried in the first registration request.
The authenticator of the embodiment can accurately judge whether the authenticator is registered on the server for the first user according to the authentication information of the first user on the server and the private key stored by the authenticator, so that the first user can be further registered on the same server under the condition that the authenticator is registered on the server for other users.
Fig. 2 is a flowchart of a second method for registering an authenticator according to the present invention. The embodiment of the method describes a processing flow of an authentication client, which may be software or a software plug-in installed on a computer, a tablet or a terminal, such as a browser or a browser plug-in. As shown in fig. 2, the method comprises the steps of:
step 202: receiving a first registration request sent by a server, wherein the first registration request comprises authentication information of a first user on the server and an application identifier of the server;
Optionally, before the server sends the first registration request, the first user triggers a registration process and the server verifies the validity of the user's identity through the user's account password, a short message (SMS) code or a voice call, and further in combination with the registered authenticator; that is, the first user first logs in to the server, the server determines that an authenticator registration is required, and after the identity is confirmed the server sends the first registration request. The registered authenticator is the authenticator the first user used when previously registering on the server.
Specifically, the authentication information is a public key in the registration record of the first user stored on the server or information obtained by encrypting a second parameter by using the public key in the registration record of the first user stored on the server by the server; wherein the second parameter comprises at least one of any parameter known to the authenticator, such as at least one of an application identification of the server and a private key handle stored in a registration record of the first user on the server.
Optionally, the first registration request further includes a private key handle in the registration record of the first user, which is stored on the server and corresponds to the authentication information.
Step 204: sending a registration state query message to an authenticator, wherein the registration state query message contains the authentication information;
optionally, when the first registration request further includes a private key handle in the registration record of the first user corresponding to the authentication information and stored on the server, the registration status query message further includes a private key handle in the registration record of the first user corresponding to the authentication information and stored on the server.
Step 206: receiving a registration state query response message sent by the authenticator, wherein the registration state query response message contains a registration state indicating unregistered;
Specifically, the registration state query response message is sent by the authenticator after it judges, according to the authentication information in the registration state query message and the private key stored on the authenticator, whether it has registered on the server for the first user. If the authenticator has already registered on the server for the first user, it returns a registration status response message with the registration status marked "registered"; if it has not, it returns a registration status response message with the registration status marked "unregistered".
Specifically, the registration status response message may be carried as an APDU (application protocol data unit) message in which the registration state is encoded in the two status bytes, with the following format:
- registered: status bytes 0x69 0x85, no payload
- unregistered: status bytes 0x6A 0x80, no payload
After receiving the registration state response message, the authentication client can determine whether the authenticator is registered on the server for the first user according to the format of the registration state query response message.
Step 208: and sending an authenticator registration request to the authenticator, wherein the authenticator registration request comprises the application identifier of the server.
Specifically, after receiving the registration state query response message, the authentication client sends an authenticator registration request to the authenticator when it determines that the authenticator is not registered on the server for the first user, instructing the authenticator to register the first user on the server. The authenticator registration request includes the application identifier of the server or a hash of the application identifier of the server.
It should be noted that the first user may have N registration records on the server, in which case the first registration request in step 202 carries N pieces of authentication information. In step 204 the authentication client constructs one registration status query message for each piece of authentication information in the first registration request, that is, N registration status query messages. Specifically, when P authenticators are connected to the authentication client, the authentication client sends each of the N registration status query messages to each of the P authenticators. On receiving a registration status query message, each authenticator judges whether it has registered on the server for the first user and returns the corresponding registration status query response message. When the authentication client receives from a certain authenticator A a registration status query response message whose registration status is "unregistered", it sends an authenticator registration request to authenticator A according to that response. For this to prevent duplicate registration, the client must treat authenticator A as unregistered for the first user only if A answers "unregistered" to all N query messages: an authenticator that already holds one of the N records answers "registered" to the query for that record and "unregistered" to the other N-1, and must not be registered again. The user then decides whether to register with authenticator A, for example by pressing the confirmation key on authenticator A.
Further, the authentication client receives an authenticator registration response sent by the authenticator, wherein the authenticator registration response comprises a public key and a private key handle generated by the authenticator. And the authentication client sends a first registration response to the server according to the authenticator registration response, wherein the first registration response comprises a public key and a private key handle generated by the authenticator.
In this embodiment, the authentication client constructs the registration status query message from the authentication information of the first user on the server, so that the authenticator can accurately determine, from the authentication information and a private key stored on the authenticator, whether it has registered the first user on the server; thus the authenticator can further register the first user on the same server even when it is already registered on that server for other users.
Fig. 3 is a flowchart of a third method for registering an authenticator according to the present invention. This embodiment describes the processing flow of the server, which may be a website or a platform providing various services, such as a bank, an e-commerce site or a game platform. As shown in Fig. 3, the method comprises the steps of:
step 302: after receiving a registration request triggered by a first user, sending the first registration request to an authentication client, wherein the first registration request comprises authentication information of the first user on a server and an application identifier of the server;
Specifically, when the first user wishes to register with the server using the authenticator, the authenticator registration process must first be triggered, for example by the first user clicking "register" after logging in to the server. The server then confirms whether the identity of the first user is legitimate and, once it is, sends a first registration request to the authentication client, where the first registration request message includes the authentication information of the first user on the server. It should be noted that the first user may have N registration records on the server, in which case the first registration request correspondingly includes N pieces of authentication information. For convenience of description, the embodiment of the present invention assumes that the first user has only one registration record on the server.
Specifically, the determining that the identity of the first user is legal includes: the server verifies the validity of the user identity through the user account password, the short message or the voice and the like and further in combination with the registered authenticator, namely, the first user needs to log in the server first and starts the authenticator registration process after the identity is confirmed. Wherein the registered authenticator refers to an authenticator used by the first user when the first user previously registered on the server.
The authentication information is a public key in the registration record of the first user stored on the server or information obtained by encrypting a second parameter by using the public key in the registration record of the first user stored on the server by the server; wherein the second parameter comprises at least one of any parameter known to the authenticator, such as at least one of an application identification of the server and a private key handle stored in a registration record of the first user on the server.
The application identifier of the server is used for indicating that the authenticator registers on the server for the first user.
Optionally, the first registration request further includes a private key handle in the registration record of the first user, which is stored on the server and corresponds to the authentication information.
Step 304: receiving a first registration response sent by the authentication client, wherein the first registration response comprises a public key and a private key handle generated by an authenticator;
optionally, when the authenticator has registered on the server for the first user, the content of the first registration response is empty.
Step 306: and storing the public key and the private key handle generated by the authenticator into the registration record of the first user on the server.
Optionally, before storing the public key and private key handle generated by the authenticator in the registration record of the first user on the server, the server verifies whether the received first registration response corresponds to the first registration request it sent. If not, the first registration response is discarded; if so, the server obtains from the first registration response the public key and private key handle generated by the authenticator for the registration and stores them in the registration record of the first user on the server. Further, the registration record of the first user on the server also includes a user identifier of the first user, which is produced during the authentication of the first user in step 302 and may, for example, be the user name of the first user. Binding each response to the outstanding request (for example through a per-request nonce or the login session) is what prevents a public key and handle produced for one registration from being stored under another user's record.
In this embodiment, the authentication information of the first user on the server is carried in the first registration request sent by the server to the authentication client, so that the authenticator determines whether the authenticator has already registered on the server for the first user according to the authentication information of the first user on the server and the private key stored in the authenticator, and thus, under the condition that the authenticator has already registered on the server for other users, the first user can further register on the same server.
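The authenticator, authentication client and server flows of Figs. 1 to 3 (steps 102 to 110, 202 to 208 and 302 to 306) run end to end, as an added example that is not the patent's code or any product's. It assumes the names Authenticator, client_register and demo, the message dictionaries, the application identifier https://example.test and the users Alice and Bob. Because a U2F key pair is an ECDSA P-256 signing key, the step 104 check is realized as the signature form of the first option (sign a fresh nonce with the candidate private key, verify it under the server-supplied public key); the key handle is a random index into the authenticator's storage as in step 110; the client registers an authenticator only when it answers "unregistered" to all N queries; and the response status bytes are the 0x69 0x85 / 0x6A 0x80 values the description lists. The P-256 arithmetic is plain Python and not constant-time, which is acceptable only because here it stands in for the authenticator's secure module.

```python
# Added example (not the patent's code); names, messages and sample users are assumptions.
import hashlib
import secrets

# NIST P-256 domain parameters; U2F authenticators sign with ECDSA on this curve.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):
    """Affine point addition on P-256 (a = -3); None is the point at infinity."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):
    """Double-and-add scalar multiplication (not constant-time: illustration only)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def sign(d, msg):
    z = _hash(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r, s

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_hash(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

REGISTERED, UNREGISTERED = b"\x69\x85", b"\x6a\x80"  # response status words (steps 106/206)

class Authenticator:
    """Registration records as handle -> private key; the private key never leaves."""
    def __init__(self, name):
        self.name, self.records = name, {}
    def query(self, server_pub, handle=None):
        """Step 104 as ECDSA sign/verify: a record matches the server's public key iff a
        signature by its private key over a fresh nonce verifies under that key."""
        nonce = secrets.token_bytes(32)
        if handle is None:
            keys = list(self.records.values())  # no handle: scan all m records
        else:  # handle supplied (step 102, optional): try that single record
            keys = [self.records[handle]] if handle in self.records else []
        matched = any(verify(server_pub, nonce, sign(d, nonce)) for d in keys)
        return REGISTERED if matched else UNREGISTERED
    def register(self, app_id):
        """Step 110: new key pair plus a random handle that only indexes the record."""
        d, pub = keygen()
        handle = secrets.token_bytes(8)
        self.records[handle] = d
        return pub, handle

def client_register(first_request, authenticators):
    """Steps 204-208 with N server records and P authenticators: every query goes to every
    authenticator; one is registered only if it answers 'unregistered' to ALL N queries."""
    for auth in authenticators:
        if all(auth.query(pub, h) == UNREGISTERED for pub, h in first_request["infos"]):
            pub, handle = auth.register(first_request["app_id"])
            return {"auth": auth.name, "pub": pub, "handle": handle}
    return None  # every connected authenticator already holds a record for this user

def demo():
    """Alice registers A1, then A3 (already Bob's on the same server), then none is left."""
    app_id, records = "https://example.test", {}  # hypothetical app id; server-side records
    a1, a3 = Authenticator("A1"), Authenticator("A3")
    chosen = []
    for user, connected in (("bob", [a3]), ("alice", [a1]), ("alice", [a1, a3]), ("alice", [a1, a3])):
        resp = client_register({"app_id": app_id, "infos": records.get(user, [])}, connected)
        if resp:  # step 306: the server stores the public key and handle it received
            records.setdefault(user, []).append((resp["pub"], resp["handle"]))
        chosen.append(resp["auth"] if resp else None)
    return chosen, len(records["alice"]), len(records["bob"])
```

Running demo() registers Alice on A1, then on A3 although A3 already holds Bob's record for the same server, and in the last round, with both authenticators already holding Alice's records, registers nothing, so the server ends with two records for Alice and one for Bob. query() without a handle exercises the scan over all m records; with a handle it takes the single-lookup path of step 102, and a handle the authenticator does not know yields "unregistered" without any key check.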
Fig. 4 is a signaling interaction diagram of a fourth method for registering an authenticator according to the present invention. This embodiment describes the processing flow in which the authenticator, the authentication client and the server cooperate to perform a registration. The authenticator can be any U2F device, such as a USB security key ("U shield"); the authentication client can be software or a software plug-in on a computer, a tablet or a terminal, such as a browser or a browser plug-in; the server may be the server of a service provider such as a bank, an e-commerce site or a game platform, or the server of an independent identity provider. In this embodiment a user already has a first authenticator, and the first authenticator has registered on the server for the user. The user wishes to register on the same server using a second authenticator that has already registered on that server for other users. To prevent duplicate registration, it is necessary to determine whether the second authenticator has already registered on the server for this user. As shown in Fig. 4, the method comprises the steps of:
step 402-step 404: the server firstly verifies the validity of the user identity through the modes of a user account password, a short message or voice and the like and further in combination with the registered authenticator; wherein the registered authenticator refers to an authenticator used by the first user when the first user previously registered on the server.
Specifically, in step 402, the first user needs to log in the server by using the authentication client, and input the user identity information through a user account password, a short message, or voice, and further in combination with the registered authenticator. After the identity of the first user is confirmed by the server, step 406 is entered, thereby entering the authenticator registration procedure.
Authentication in combination with the registered authenticator mainly aims to prevent a malicious registration by a third party after the user's user name and password have been leaked, which would compromise the security of the user's account.
Step 406: the server constructs a first registration request;
specifically, the first registration request includes authentication information of the first user on the server, a protocol version number of the authenticator to be registered, and an application identifier of the server; optionally, the first registration request further includes a private key handle in a registration record of the first user corresponding to the authentication message, which is stored on the server.
Step 408: the server sends a first registration request to the authentication client;
Step 410: the authentication client obtains the protocol version number of the authenticator and the application identifier of the server from the first registration request, confirms that the protocol version is correct, and confirms that the first registration request was issued by the server.
Optionally, if the protocol version number of the authenticator to be registered is incorrect, the user is prompted to upgrade the authenticator, and the authenticator registration process continues after the upgrade. If the protocol version number is correct, the authentication client then confirms that the first registration request was issued by the server. Specifically, a first registration request received by the authentication client may come from the server the first user wishes to register with, or from a phishing website impersonating it. To protect the first user's registration information, the authentication client verifies, according to the application identifier of the server, whether the first registration request was sent by that server, which guards against phishing websites. In practice this is the origin check a U2F client performs: the application identifier is bound to the web origin from which the request arrived, and a request whose origin does not match its application identifier is rejected. How to confirm that the protocol version is correct, and how the authentication client verifies from the application identifier that the first registration request was issued by the server, are well known to those skilled in the art, so the embodiment of the present invention does not limit them.
Step 412: the authentication client constructs a registration state query message and sends the registration state query message to an authenticator, wherein the registration state query message contains authentication information of a first user on a server;
Specifically, before the authenticator registers on the server for the first user, it must confirm whether it has already registered on that server for the first user; otherwise repeated registration may occur, which consumes the authenticator's resources because its secure storage space is limited. The secure storage space is a dedicated security module in the authenticator's chip, which only the authenticator can read and write and which cannot be read, copied or altered from outside; for cost reasons it is usually small. Moreover, since a repeated registration runs the same algorithm to generate another key pair, the strength of the keys is unchanged, the security of the identity authentication does not increase, and further problems are introduced. Repeated registration is therefore to be avoided when registering an authenticator.
Specifically, the authentication client constructs a registration status query message and sends the registration status query message to all authenticators connected to the authentication client. The registration status query message contains authentication information of the first user on the server. Optionally, the registration status query message may further include a private key handle in the registration record of the first user, which is stored on the server and corresponds to the authentication message.
Step 414: the authenticator sends a registration status query response message to the authentication client and identifies that the registration status is "unregistered", entering step 416;
before executing the step, the authenticator acquires the authentication information of the first user on the server according to the registration state inquiry message. Further, the authenticator determines that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored by the authenticator.
In this embodiment, the authentication information may be a public key in the registration record of the first user stored on the server, or may be information obtained by encrypting a second parameter with the public key in the registration record of the first user stored on the server by the server, where the second parameter includes at least one of any parameters known by the authenticator, such as at least one of an application identifier of the server and a private key handle stored in the registration record of the first user on the server.
Optionally, the authenticating message is a public key in a registration record of the first user stored in the server, and determining that the registration record of the first user does not exist on the authenticator according to the authenticating message and a private key stored in the authenticator specifically includes: encrypting a first parameter using a public key in a registration record of the first user saved on the server; determining that the encrypted first parameter cannot be decrypted using the authenticator-maintained private key, wherein the first parameter comprises at least one of any parameter known to the authenticator, such as at least one of the authenticator-generated random number, an authenticator-maintained private key, and an authenticator-maintained private key handle; or encrypting the first parameter by using a private key stored by the authenticator; determining that the encrypted first parameter cannot be decrypted using a public key in the first user's registration record on the server, wherein the first parameter comprises at least one of any parameter known to the authenticator, such as at least one of a nonce generated by the authenticator, an authenticator-held private key, and an authenticator-held private key handle.
Optionally, the authenticating information is obtained by encrypting a second parameter by the server using a public key in the registration record of the first user stored in the server, and determining that the registration record of the first user does not exist on the authenticator according to the authenticating information and a private key stored in the authenticator, specifically including:
decrypting the encrypted information by using a private key stored by the authenticator, and determining that the encrypted information cannot be decrypted by using the private key stored by the authenticator; wherein the second parameter comprises at least one of any parameter known to the authenticator, such as at least one of an application identification of the server and a private key handle stored in a registration record of the first user on the server.
The two methods for determining that the first user registration record does not exist on the authenticator are both based on the fact that different keys, namely a public key and a private key, are used for encryption and decryption in a modern cryptosystem, and the two keys can be used for encryption and decryption of each other. And one public key corresponds to one private key. If data is encrypted with one of the keys, only the corresponding key can be decrypted. If decryption of data is possible with one of the keys, the data must be encrypted by the corresponding key. By the encryption and decryption method, whether the registration record of the first user exists on the authenticator can be accurately determined. The two methods are distinguished in that: when the authentication information is a public key in the registration record of the first user stored on the server, the encryption and decryption operations are both performed by an authenticator; when the authentication information is information obtained by the server after encrypting the second parameter by using the public key in the registration record of the first user stored in the server, the encryption operation is performed by the server, and the decryption operation is performed by the authenticator. Because the authenticator and the server are provided with the encryption and decryption functional modules, the method does not need to add extra hardware support and extra safe storage space.
It should be noted that when an authenticator holds several authenticator registration records, each containing a private key, whether the first user's registration record exists on the authenticator must be determined from the authentication information together with every private key stored in the authenticator. For example, with m registration records on the authenticator, m being a positive integer, the authenticator determines from the private key in the first record and the authentication information whether the first record is the registration record of the first user, then does the same for the second record, and so on. Only when none of the m records is a registration record of the first user is it determined that the registration record of the first user does not exist on the authenticator.
Optionally, in step 412 the registration status query message further includes the private key handle in the registration record of the first user stored on the server that corresponds to the authentication information. Specifically, whether the authentication information is the public key in the first user's registration record stored on the server or the server's encryption of the second parameter under that public key, the corresponding private key handle is the handle in the registration record that holds that public key. The authenticator first locates its own registration record using that handle, then takes the private key from that record, and only then determines from the authentication information and that private key whether the registration record of the first user is absent. When the authenticator holds several registration records, this settles the question with a single check instead of one per record, which makes querying the registration state of the authenticator more efficient.
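As an added example, not code from the patent, the following Go program implements the two checks described above and the handle-based shortcut, using RSA-OAEP from the Go standard library. The record layout, the RSA-2048 key size, the 16-byte handle and the use of appID||handle as the "second parameter" are assumptions; the text fixes none of them. Method 1 encrypts a fresh nonce under the queried public key and tries every one of the m stored private keys; method 2 decrypts a ciphertext prepared by the server and compares it with values the authenticator already knows; the handle variant narrows the search to a single record.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// authRecord is one registration record as the authenticator stores it: the
// private key, its handle and the application identifier it was generated for.
type authRecord struct {
	handle []byte
	priv   *rsa.PrivateKey
	appID  string
}

// newRecord stands in for step 418 (RSA-2048 and a 16-byte random handle are
// assumptions; the text fixes neither).
func newRecord(appID string) authRecord {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	handle := make([]byte, 16)
	if _, err := rand.Read(handle); err != nil {
		panic(err)
	}
	return authRecord{handle: handle, priv: priv, appID: appID}
}

// findByPublicKey is the first method, where the authentication information is
// the server's stored public key: encrypt a fresh nonce under it and look for a
// stored private key that decrypts the result back to the nonce. It returns the
// index of the matching record, or -1 when none of the m records matches.
func findByPublicKey(records []authRecord, pub *rsa.PublicKey) (int, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return -1, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	if err != nil {
		return -1, err
	}
	for i, r := range records {
		// OAEP makes decryption under the wrong key fail with an error rather
		// than return garbage, which is what makes "cannot be decrypted" a
		// detectable outcome; comparing the plaintext is a second check.
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, r.priv, ct, nil)
		if err == nil && bytes.Equal(pt, nonce) {
			return i, nil
		}
	}
	return -1, nil
}

// serverEncrypt is the server side of the second method: encrypt the "second
// parameter", here appID||handle, under the stored public key.
func serverEncrypt(pub *rsa.PublicKey, appID string, handle []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, append([]byte(appID), handle...), nil)
}

// findByServerCiphertext is the authenticator side of the second method: only
// decrypt, and confirm the plaintext is a value this record already knows.
func findByServerCiphertext(records []authRecord, ct []byte) int {
	for i, r := range records {
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, r.priv, ct, nil)
		if err == nil && bytes.Equal(pt, append([]byte(r.appID), r.handle...)) {
			return i
		}
	}
	return -1
}

// findByHandle is the optional refinement in which the query also carries the
// private key handle: select that record and run the check exactly once.
func findByHandle(records []authRecord, handle []byte, pub *rsa.PublicKey) (int, error) {
	for i, r := range records {
		if bytes.Equal(r.handle, handle) {
			idx, err := findByPublicKey(records[i:i+1], pub)
			if err != nil || idx < 0 {
				return -1, err
			}
			return i, nil
		}
	}
	return -1, nil
}

func main() {
	records := []authRecord{newRecord("app.example"), newRecord("app.example")}
	idx, _ := findByPublicKey(records, &records[1].priv.PublicKey)
	fmt.Println("index of record holding the queried key:", idx)
	other := newRecord("app.example") // a key this authenticator never generated
	idx, _ = findByPublicKey(records, &other.priv.PublicKey)
	fmt.Println("index for a key this authenticator never generated:", idx)
}
```

OAEP is what turns "cannot be decrypted" into an error the code can act on; with textbook RSA every private key would yield some output and the nonce comparison would be the only safeguard. The simplest equivalent of method 1 is to compare the queried public key directly against the public half of each stored private key, and a signature over a server-supplied challenge is the usual way to prove possession of a private key without an encryption round trip.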
When it is determined that the registration record of the first user exists on the authenticator, the authenticator is already registered on the server for the first user and no registration is needed; the authenticator returns to the authentication client a registration status query response message whose registration state is "registered". When it is determined that the registration record of the first user does not exist on the authenticator, the authenticator is not registered on the server for the first user, and the authenticator sends the authentication client a registration status query response message whose registration state is "unregistered".
Specifically, the registration status query response message may be a USB APDU (application protocol data unit) message with the following format:
- registered: begins with 0x69 0x85, no payload
- unregistered: begins with 0x6A 0x80, no payload
These two-byte values are the ISO/IEC 7816-4 status words 6985 ("conditions of use not satisfied") and 6A80 ("incorrect parameters in the data field"). After receiving the registration status query response message, the authentication client determines from its format whether the authenticator is registered on the server for the first user.
Step 418: the authentication client sends an authenticator registration request to the authenticator, the request containing the application identifier of the server;
specifically, after receiving the registration status query response message, the authentication client sends the authenticator registration request to the authenticator when it determines that the authenticator is not registered on the server for the first user. The registration request contains the application identifier of the server or a hash of that identifier.
It should be noted that the first user may have N registration records on the server; in that case the first registration request of steps 405 and 408 carries N items of authentication information. In step 412 the authentication client builds one registration status query message for each item of authentication information in the first registration request, that is, N registration status query messages. When P authenticators are connected to the authentication client, the client sends each of the N query messages to each of the P authenticators. On receiving a query message, each authenticator judges whether it is registered on the server for the first user and returns the corresponding registration status query response message. When the authentication client receives, from some authenticator A in reply to some query message, a response whose registration state is "unregistered", it sends an authenticator registration request to authenticator A on the basis of that response. The user then decides whether to register with authenticator A, for example by pressing a confirmation key on it.
Step 418: the authenticator generates a public/private key pair and a private key handle according to the application identifier of the server in the received authenticator registration request;
specifically, generating a key pair and a private key handle is well known to those skilled in the art and is not described in detail here. The private key handle is the index of the private key inside the authenticator, and the way it is generated is not fixed: for example, the authenticator may generate a random number, and given the limited secure storage space of the authenticator the private key handle may be no more than such a random number.
Specifically, the authenticator stores the generated private key, the private key handle and the application identifier of the server in a registration record of the first user on the authenticator.
Step 420: the authenticator sends an authenticator registration response to the authentication client;
specifically, the authenticator registration response contains the public key and the private key handle generated by the authenticator in step 418.
Optionally, if every authenticator to which the authentication client sent a registration status query message returned a response whose registration state is "registered", the authenticator registration response is empty.
Step 422: the authentication client sends a first registration response to the server;
specifically, the first registration response contains the public key and the private key handle generated by the authenticator in step 418.
Optionally, in the same case, when every registration status query response message returned to the authentication client had the registration state "registered", the content of the first registration response is empty.
Step 424: the server verifies the validity of the received first registration response;
specifically, in order to prevent the first registration response from being tampered, the server needs to verify the validity of the received first registration response, and specifically, how to verify the validity belongs to a technology known by a person skilled in the art.
Step 426: and the server stores the public key, the private key handle and the user identification of the first user generated by the authenticator into a registration record of the first user on the server.
Wherein the registration record of the first user on the server describes that the authenticator is the registration of the first user on the server. The user identifier of the first user is obtained by the server when verifying the identity of the first user, and may be, for example, a user name of the first user.
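The full exchange of steps 412 to 426, including the client's fan-out over N items of authentication information and P authenticators and the parsing of the two status words, as an added Go example that is not part of the patent. It assumes ECDSA P-256 keys, 16-byte random handles, public-key equality as the authenticator's record check (the text describes an encrypt/decrypt round trip for it), and a proof-of-possession signature over appID||handle as the validity check of step 424; the text specifies none of these. The example registers an authenticator only when it answers "unregistered" to every one of the N queries: an authenticator that already holds one of the user's N keys answers "registered" to that query and "unregistered" to the others, so acting on a single "unregistered" reply would register it a second time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Status words of the registration status query response given in the text.
var swRegistered, swUnregistered = []byte{0x69, 0x85}, []byte{0x6A, 0x80}

// parseStatus maps a response to "registered?" and rejects any other status word.
func parseStatus(sw []byte) (bool, error) {
	if string(sw) != string(swRegistered) && string(sw) != string(swUnregistered) {
		return false, fmt.Errorf("unexpected status word % X", sw)
	}
	return string(sw) == string(swRegistered), nil
}

// An Authenticator holds one authRecord per registration (step 419).
type authRecord struct{ handle []byte; priv *ecdsa.PrivateKey; appID string }
type Authenticator struct{ records []authRecord }

// QueryStatus answers a query carrying the server's stored public key by comparing
// it with each stored private key's public half (assumed; the text uses encrypt/decrypt).
func (a *Authenticator) QueryStatus(pub *ecdsa.PublicKey) []byte {
	for _, r := range a.records {
		if r.priv.PublicKey.Equal(pub) {
			return swRegistered
		}
	}
	return swUnregistered
}

// RegResponse is step 420's response; Sig is an assumed proof of possession over appID||handle.
type RegResponse struct{ Pub *ecdsa.PublicKey; Handle, Sig []byte }

// Register is step 418: new key pair and handle for appID, stored (P-256, 16-byte handle assumed).
func (a *Authenticator) Register(appID string) (RegResponse, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return RegResponse{}, err
	}
	handle := make([]byte, 16)
	if _, err := rand.Read(handle); err != nil {
		return RegResponse{}, err
	}
	a.records = append(a.records, authRecord{handle, priv, appID})
	digest := sha256.Sum256(append([]byte(appID), handle...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return RegResponse{&priv.PublicKey, handle, sig}, err
}

// Server keeps, per user, one (public key, handle) record per registered authenticator (step 426).
type Server struct{ AppID string; Records map[string][]RegResponse }

// Accept is steps 424 and 426: verify the response, then store the record.
func (s *Server) Accept(userID string, resp RegResponse) error {
	digest := sha256.Sum256(append([]byte(s.AppID), resp.Handle...))
	if !ecdsa.VerifyASN1(resp.Pub, digest[:], resp.Sig) {
		return fmt.Errorf("registration response for %q failed validity check", userID)
	}
	s.Records[userID] = append(s.Records[userID], resp)
	return nil
}

// RegisterUser is the authentication client (steps 412 to 422): each of the user's
// N public keys is queried on each of the P authenticators; the first authenticator
// answering "unregistered" to all N is registered, one "registered" answer means it
// already holds a key for this user, and nil is the empty response of the text.
func RegisterUser(srv *Server, userID string, auths []*Authenticator) (*Authenticator, error) {
	for _, a := range auths {
		registered := false
		for _, rec := range srv.Records[userID] {
			isReg, err := parseStatus(a.QueryStatus(rec.Pub))
			if err != nil {
				return nil, err
			}
			registered = registered || isReg
		}
		if registered {
			continue
		}
		resp, err := a.Register(srv.AppID) // the user confirms on the device here
		if err != nil {
			return nil, err
		}
		return a, srv.Accept(userID, resp)
	}
	return nil, nil
}

func main() {
	srv := &Server{AppID: "https://app.example", Records: map[string][]RegResponse{}}
	a, err := RegisterUser(srv, "alice", []*Authenticator{{}, {}})
	fmt.Println("registered on a new authenticator:", a != nil, err)
}
```

Running RegisterUser repeatedly for the same user walks through the cases in the text: the first call registers authenticator A, the second finds A "registered" and registers B, the third finds both registered and returns the empty response, and a different user on the same two authenticators is registered on A even though A already holds the first user's key.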
In this embodiment, the authentication information of the first user on the server is carried in the first registration request sent by the server to the authentication client, so that the authenticator determines whether the authenticator has already registered on the server for the first user according to the authentication information of the first user on the server and the private key stored in the authenticator, and thus, under the condition that the authenticator has already registered on the server for other users, the first user can further register on the same server.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Referring to fig. 5, fig. 5 is a schematic structural diagram illustrating a first embodiment of an authenticator registration apparatus according to the present invention. As shown in fig. 5, the apparatus includes: a receiving module 51, a determining module 52, a sending module 53 and a registering module 54; wherein,
a receiving module 51, configured to receive a registration status query message sent by an authentication client; wherein, the registration state inquiry message contains the authentication information of the first user on the server;
specifically, the authentication information is a public key in the registration record of the first user stored on the server or information obtained by encrypting, by the server, a second parameter using the public key in the registration record of the first user stored on the server, where the second parameter includes at least one of any parameters known to the authenticator, such as at least one of an application identifier of the server and a handle of a private key stored in the registration record of the first user on the server.
The determining module 52 is configured to determine, according to the authentication information in the registration status query message received by the receiving module 51 and a private key stored by the authenticator, that the registration record of the first user does not exist on the authenticator.
Specifically, when the authentication information is a public key in the registration record of the first user stored on the server, the determining module 52 is configured to: encrypt a first parameter with the public key in the first user's registration record stored on the server and determine that the encrypted first parameter cannot be decrypted with a private key stored by the authenticator; or encrypt a first parameter with a private key stored by the authenticator and determine that the encrypted first parameter cannot be decrypted with the public key in the first user's registration record on the server. In both cases the first parameter comprises at least one parameter known to the authenticator, for example at least one of a nonce generated by the authenticator, a private key stored by the authenticator and a private key handle stored by the authenticator.
When the authentication information is the server's encryption of a second parameter under the public key in the first user's registration record stored on the server, the determining module 52 is configured to decrypt the encrypted information with a private key stored by the authenticator and determine that it cannot be decrypted with that private key; the second parameter comprises at least one parameter known to the authenticator, for example at least one of the application identifier of the server and the private key handle stored in the registration record of the first user on the server.
The sending module 53 is configured to send a registration status query response message with registration state "unregistered" to the authentication client;
the receiving module 51 is further configured to receive an authenticator registration request sent by the authentication client, where the authenticator registration request includes an application identifier of the server;
the registering module 54 is configured to register the first user on the server according to the application identifier of the server in the authenticator registration request received by the receiving module 51.
Optionally, the sending module 53 is further configured to send an authenticator registration response to the authentication client according to the authenticator registration request, where the authenticator registration response includes a public key and a private key handle generated by the authenticator, so that the authentication client sends a first registration response to the server, where the first registration response includes the public key and the private key handle generated by the authenticator.
Optionally, the registration status query message received by the receiving module 51 further includes the private key handle in the registration record of the first user that is stored on the server and corresponds to the authentication information. Before the determining module 52 determines, according to the authentication information and a private key stored in the authenticator, that the registration record of the first user does not exist on the authenticator, the apparatus further includes:
an obtaining module 55, configured to obtain the registration record stored by the authenticator according to the private key handle in the registration record of the first user stored on the server, and further configured to obtain the private key stored by the authenticator from that registration record.
The apparatus provided in the embodiment of the present invention may execute the method embodiment of authenticator registration described in fig. 1, which has similar implementation principles and technical effects, and for specific contents, please refer to the related contents described in fig. 1, which is not described herein again.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an authentication client provided by the present invention. As shown in fig. 6, the apparatus includes a receiving module 61 and a sending module 62; wherein,
the receiving module 61 is configured to receive a first registration request sent by a server, where the first registration request includes authentication information of a first user on the server.
Specifically, the authentication information is a public key in a registration record of the first user stored on the server; or the authentication information is obtained by the server encrypting the second parameter by using the public key in the registration record of the first user stored on the server; wherein the second parameter comprises at least one of any parameter known to the authenticator, such as at least one of an application identification of the server and a private key handle stored in a registration record of the first user on the server.
A sending module 62, configured to send a registration status query message to an authenticator according to the first registration request received by the receiving module, where the registration status query message includes the authentication information;
the receiving module 61 is further configured to receive a registration state query response message sent by the authenticator, where the registration state query response message includes a registration state indicating unregistered;
the sending module 62 is further configured to send an authenticator registration request to the authenticator according to the registration status query message received by the receiving module, where the authenticator registration request includes the application identifier of the server.
Optionally, after the sending module 62 sends the authenticator registration request to the authenticator, the receiving module 61 is further configured to receive the authenticator registration response sent by the authenticator, which includes the public key and the private key handle generated by the authenticator. The sending module 62 is further configured to send a first registration response to the server according to the authenticator registration response received by the receiving module 61, the first registration response including the public key and the private key handle generated by the authenticator.
The apparatus provided in the embodiment of the present invention may execute the method embodiment of authenticator registration described in fig. 2, which has similar implementation principles and technical effects, and for details, please refer to the related contents described in fig. 2, which is not described herein again.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a server according to an embodiment of the present invention. As shown in fig. 7, the apparatus includes a sending module 71, a receiving module 72 and a saving module 73; wherein,
the sending module 71 is configured to send a first registration request to an authentication client after the server receives a registration request triggered by a first user, the first registration request containing the authentication information of the first user on the server and the application identifier of the server;
specifically, the authentication information is a public key in the registration record of the first user stored on the server; or
it is the information the server obtains by encrypting a second parameter with the public key in the registration record of the first user stored on the server, where the second parameter comprises at least one parameter known to the authenticator, for example at least one of the application identifier of the server and the private key handle stored in the registration record of the first user on the server.
The receiving module 72 is configured to receive the first registration response sent by the authentication client, the first registration response containing the public key and the private key handle generated by an authenticator;
the saving module 73 is configured to save the public key and the private key handle generated by the authenticator in the registration record of the first user on the server.
The apparatus provided in the embodiment of the present invention may execute the method embodiment of authenticator registration described in fig. 3, which has similar implementation principles and technical effects, and for details, please refer to the related contents described in fig. 3, which is not described herein again.
Referring to fig. 8, an embodiment of the present invention further provides a schematic structural diagram of an authenticator registration apparatus, which may include: a bus 803, a processor 802 coupled to the bus 803, and a memory 801 coupled to the bus 803. The processor 802 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solutions provided by the embodiments of the present invention. The memory 801 may be a Read Only Memory (ROM), a static memory device, a dynamic memory device, or a Random Access Memory (RAM). The memory 801 may store an operating system and other application programs. When the technical solution provided by the embodiment of the present invention is implemented by software or firmware, a program code for implementing the technical solution provided by the embodiment of the present invention is stored in the memory 801 and executed by the processor 802.
Specifically, the processor 802 and the memory 801 communicate via the bus 803; the memory 801 stores a computer readable program, and by executing that program the processor 802 is configured to receive a registration status query message sent by an authentication client, where the registration status query message contains the authentication information of the first user on the server; determine, according to the authentication information and a private key stored by the authenticator, that the registration record of the first user does not exist on the authenticator; send a registration status query response message whose registration state is "unregistered" to the authentication client; receive an authenticator registration request sent by the authentication client, where the authenticator registration request contains an application identifier of the server; and register the first user on the server according to the application identifier of the server.
It can be understood that the authenticator registration apparatus of this embodiment may be used to implement the functions in the method embodiment described in fig. 1, and the specific implementation process may refer to the related description of the above method embodiment, which is not described herein again.
Referring to fig. 9, an embodiment of the present invention further provides a schematic structural diagram of an authentication client, which may include: a bus 903, a processor 902 coupled to the bus 903, and a memory 901 coupled to the bus 903. The processor 902 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, configured to execute related programs to implement the technical solutions provided by the embodiments of the present invention. The memory 901 may be a Read Only Memory (ROM), a static memory device, a dynamic memory device, or a Random Access Memory (RAM). The memory 901 may store an operating system and other application programs. When the technical solution provided by the embodiment of the present invention is implemented by software or firmware, a program code for implementing the technical solution provided by the embodiment of the present invention is stored in the memory 901 and executed by the processor 902.
Specifically, the processor 902 and the memory 901 communicate via the bus 903; wherein the memory 901 stores a computer readable program; the processor 902 is configured to execute the program in the memory 901 to receive a first registration request sent by a server, where the first registration request includes authentication information of a first user on the server and an application identifier of the server; sending a registration state query message to an authenticator, wherein the registration state query message contains the authentication information; receiving a registration state query response message sent by the authenticator, wherein the registration state query response message contains a registration state indicating unregistered; and sending an authenticator registration request to the authenticator, wherein the authenticator registration request comprises the application identifier of the server.
It can be understood that the authentication client of this embodiment may be used to implement the functions in the method embodiment described in fig. 2, and the specific implementation process may refer to the related description of the above method embodiment, which is not described herein again.
Referring to fig. 10, an embodiment of the present invention further provides a schematic structural diagram of a server, which may include: a bus 1003, a processor 1002 connected to the bus 1003, and a memory 1001 connected to the bus 1003. The processor 1002 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, configured to execute related programs to implement the technical solutions provided by the embodiments of the present invention. The memory 1001 may be a Read Only Memory (ROM), a static memory device, a dynamic memory device, or a Random Access Memory (RAM). The memory 1001 may store an operating system and other application programs. When the technical solution provided by the embodiment of the present invention is implemented by software or firmware, a program code for implementing the technical solution provided by the embodiment of the present invention is stored in the memory 1001 and executed by the processor 1002.
Specifically, the processor 1002 and the memory 1001 communicate with each other through the bus 1003; wherein, the memory 1001 stores a computer readable program; the processor 1002 runs the program in the memory 1001, and is configured to send a first registration request to an authentication client after receiving a registration request triggered by a first user, where the first registration request includes authentication information of the first user on a server and an application identifier of the server; receiving a first registration response sent by the authentication client; wherein the first registration response comprises a public key and a private key handle generated by an authenticator; and storing the public key and the private key handle generated by the authenticator into the registration record of the first user on the server.
It can be understood that the server of this embodiment may be used to implement the functions in the method embodiment described in fig. 3, and the specific implementation process may refer to the related description of the above method embodiment, which is not described herein again.
Fig. 11 is a schematic structural diagram of a system for authenticator registration according to an embodiment of the present invention. Referring to fig. 11, the system includes an authenticator 1101, an authentication client 1102 and a server 1103, wherein:
an authenticator 1101 for receiving a registration status query message sent by an authentication client; wherein, the registration state inquiry message contains the authentication information of the first user on the server; determining that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored by the authenticator; sending a registration state query response message of which the registration state is unregistered to the authentication client; receiving an authenticator registration request sent by the authentication client, wherein the authenticator registration request comprises an application identifier of the server; and registering the first user on the server according to the application identifier of the server.
An authentication client 1102 configured to receive a first registration request sent by a server, where the first registration request includes authentication information of a first user on the server and an application identifier of the server; send a registration status query message to an authenticator, where the registration status query message contains the authentication information; receive a registration status query response message sent by the authenticator, where the registration status query response message contains a registration state indicating unregistered; and send an authenticator registration request to the authenticator, where the authenticator registration request includes the application identifier of the server.
The server 1103 is configured to send a first registration request to an authentication client after receiving a registration request triggered by a first user, where the first registration request includes authentication information of the first user on the server and an application identifier of the server; receiving a first registration response sent by the authentication client; wherein the first registration response comprises a public key and a private key handle generated by an authenticator; and storing the public key and the private key handle generated by the authenticator into the registration record of the first user on the server.
The structures and specific processes of the authenticator 1101, the authentication client 1102 and the server 1103 can refer to the above description of the embodiments of the present invention, and are not described herein again.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus necessary general hardware, and may also be implemented by special hardware including special integrated circuits, special CPUs, special memories, special components and the like. Generally, functions performed by computer programs can be easily implemented by corresponding hardware, and specific hardware structures for implementing the same functions may be various, such as analog circuits, digital circuits, or dedicated circuits. However, the implementation of a software program is a more preferable embodiment for the present invention. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a readable storage medium, such as a floppy disk, a usb disk, a removable hard disk, a Read-only memory (ROM), a random-access memory (RAM), a magnetic disk or an optical disk of a computer, and includes instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
The method and apparatus for authenticator registration provided by the embodiment of the present invention are described in detail above, and for those skilled in the art, the idea of the embodiment of the present invention may be changed in the specific implementation and application scope, and therefore, the content of the present specification should not be construed as limiting the present invention.
Claims (20)
1. A method of authenticator registration, comprising:
receiving a registration state query message sent by an authentication client; wherein, the registration state inquiry message contains the authentication information of the first user on the server;
determining that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored by the authenticator;
sending a registration state query response message of which the registration state is unregistered to the authentication client;
receiving an authenticator registration request sent by the authentication client, wherein the authenticator registration request comprises an application identifier of the server;
and registering the first user on the server according to the application identifier of the server.
2. The method of claim 1, wherein after the registering of the first user on the server according to the application identifier of the server, the method further comprises:
and sending an authenticator registration response to the authentication client according to the authenticator registration request, wherein the authenticator registration response comprises a public key and a private key handle generated by the authenticator, so that the authentication client can send a first registration response to the server, and the first registration response comprises the public key and the private key handle generated by the authenticator.
3. The method of claim 1 or 2, wherein
the authentication information is a public key in a registration record of the first user stored on the server, and determining that the registration record of the first user does not exist on the authenticator according to the authentication information and the private key stored by the authenticator specifically comprises:
encrypting a first parameter using the public key in the registration record of the first user stored on the server, and determining that the encrypted first parameter cannot be decrypted using the private key stored by the authenticator, wherein the first parameter comprises at least one parameter known to the authenticator; or
encrypting a first parameter using the private key stored by the authenticator, and determining that the encrypted first parameter cannot be decrypted using the public key in the registration record of the first user on the server, wherein the first parameter comprises at least one parameter known to the authenticator.
4. The method of claim 1 or 2, wherein
the authentication information is information obtained by the server encrypting a second parameter using a public key in the registration record of the first user stored on the server, and determining that the registration record of the first user does not exist on the authenticator according to the authentication information and the private key stored by the authenticator specifically comprises:
attempting to decrypt the encrypted information using the private key stored by the authenticator, and determining that the encrypted information cannot be decrypted using the private key stored by the authenticator, wherein the second parameter comprises at least one parameter known to the authenticator.
5. The method according to any one of claims 1 to 4, wherein the registration status query message further includes a private key handle in the registration record of the first user corresponding to the authentication information stored on the server; before determining that the registration record of the first user does not exist on the authenticator according to the authentication information and a private key stored by the authenticator, the method further comprises:
acquiring a registration record stored by the authenticator according to the private key handle in the registration record of the first user stored on the server;
and acquiring a private key stored by the authenticator according to the acquired registration record stored by the authenticator.
6. A method of authenticator registration,
receiving a first registration request sent by a server, wherein the first registration request comprises authentication information of a first user on the server and an application identifier of the server;
sending a registration state query message to an authenticator, wherein the registration state query message contains the authentication information;
receiving a registration state query response message sent by the authenticator, wherein the registration state query response message contains a registration state indicating unregistered;
and sending an authenticator registration request to the authenticator, wherein the authenticator registration request comprises the application identifier of the server.
7. The method of claim 6, wherein after sending the authenticator registration request to the authenticator, the method further comprises:
receiving an authenticator registration response sent by the authenticator, wherein the authenticator registration response comprises a public key and a private key handle generated by the authenticator;
and sending a first registration response to the server according to the authenticator registration response, wherein the first registration response comprises a public key and a private key handle generated by the authenticator.
8. The method according to claim 6 or 7, wherein the authentication information is a public key in a registration record of the first user stored on the server; or
the authentication information is information obtained by the server encrypting a second parameter using the public key in the registration record of the first user stored on the server, wherein the second parameter comprises at least one parameter known to the authenticator.
9. A method of authenticator registration, comprising:
after receiving a registration request triggered by a first user, sending the first registration request to an authentication client, wherein the first registration request comprises authentication information of the first user on a server and an application identifier of the server;
receiving a first registration response sent by the authentication client; wherein the first registration response comprises a public key and a private key handle generated by an authenticator;
and storing the public key and the private key handle generated by the authenticator into the registration record of the first user on the server.
10. The method of claim 9, wherein
the authentication information is a public key in a registration record of the first user stored on the server; or
the authentication information is information obtained by the server encrypting a second parameter using the public key in the registration record of the first user stored on the server, wherein the second parameter comprises at least one parameter known to the authenticator.
11. An authenticator registration apparatus, comprising:
a receiving module, configured to receive a registration state query message sent by an authentication client, wherein the registration state query message contains authentication information of a first user on a server;
a determining module, configured to determine, according to the authentication information received by the receiving module and a private key stored by the authenticator, that a registration record of the first user does not exist on the authenticator;
a sending module, configured to send a registration state query response message whose registration state is unregistered to the authentication client;
wherein the receiving module is further configured to receive an authenticator registration request sent by the authentication client, the authenticator registration request comprising an application identifier of the server; and
a registration module, configured to register the first user on the server according to the application identifier of the server received by the receiving module.
12. The authenticator registration apparatus of claim 11,
the sending module is further configured to send an authenticator registration response to the authentication client according to the authenticator registration request, where the authenticator registration response includes a public key and a private key handle generated by the authenticator, so that the authentication client sends a first registration response to the server, where the first registration response includes the public key and the private key handle generated by the authenticator.
13. The authenticator registration apparatus according to claim 11 or 12, wherein
the authentication information is a public key in the registration record of the first user stored on the server, and the determining module is specifically configured to:
encrypt a first parameter using the public key in the registration record of the first user stored on the server, and determine that the encrypted first parameter cannot be decrypted using the private key stored by the authenticator, wherein the first parameter comprises at least one parameter known to the authenticator; or
encrypt a first parameter using the private key stored by the authenticator, and determine that the encrypted first parameter cannot be decrypted using the public key in the registration record of the first user on the server, wherein the first parameter comprises at least one parameter known to the authenticator.
14. The authenticator registration apparatus according to claim 11 or 12, wherein
the authentication information is information obtained by the server encrypting a second parameter using a public key in the registration record of the first user stored on the server, and the determining module is specifically configured to:
attempt to decrypt the encrypted information using the private key stored by the authenticator, and determine that the encrypted information cannot be decrypted using the private key stored by the authenticator, wherein the second parameter comprises at least one parameter known to the authenticator.
15. The authenticator registration apparatus according to any one of claims 11 to 14, wherein
the registration state query message further comprises a private key handle in the registration record of the first user stored on the server, corresponding to the authentication information; and before the determining module determines, according to the authentication information and the private key stored by the authenticator, that the registration record of the first user does not exist on the authenticator, the apparatus further comprises:
an acquiring module, configured to acquire a registration record stored by the authenticator according to the private key handle in the registration record of the first user stored on the server;
wherein the acquiring module is further configured to acquire the private key stored by the authenticator according to the acquired registration record stored by the authenticator.
16. An authentication client, comprising:
a receiving module, configured to receive a first registration request sent by a server, wherein the first registration request comprises authentication information of a first user on the server and an application identifier of the server;
a sending module, configured to send a registration state query message to an authenticator according to the first registration request received by the receiving module, wherein the registration state query message contains the authentication information;
wherein the receiving module is further configured to receive a registration state query response message sent by the authenticator, the registration state query response message containing a registration state indicating unregistered; and
the sending module is further configured to send an authenticator registration request to the authenticator according to the registration state query response message received by the receiving module, wherein the authenticator registration request comprises the application identifier of the server.
17. The authentication client of claim 16, wherein after the sending module sends the authenticator registration request to the authenticator:
the receiving module is further configured to receive an authenticator registration response sent by the authenticator, where the authenticator registration response includes a public key and a private key handle generated by the authenticator;
the sending module is further configured to send a first registration response to the server according to the authenticator registration response received by the receiving module, where the first registration response includes a public key and a private key handle generated by the authenticator.
18. The authentication client according to claim 16 or 17, wherein the authentication information is a public key in a registration record of the first user stored on the server; or
the authentication information is information obtained by the server encrypting a second parameter using the public key in the registration record of the first user stored on the server, wherein the second parameter comprises at least one parameter known to the authenticator.
19. A registration server for an authenticator, comprising:
a sending module, configured to send a first registration request to an authentication client after a registration request triggered by a first user is received, wherein the first registration request comprises authentication information of the first user on the server and an application identifier of the server;
a receiving module, configured to receive a first registration response sent by the authentication client, wherein the first registration response comprises a public key and a private key handle generated by an authenticator; and
a storage module, configured to store the public key and the private key handle generated by the authenticator in the registration record of the first user on the server.
20. The server according to claim 19, wherein
the authentication information is a public key in a registration record of the first user stored on the server; or
the authentication information is information obtained by the server encrypting a second parameter using the public key in the registration record of the first user stored on the server, wherein the second parameter comprises at least one parameter known to the authenticator.
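The exchange of method claims 1-10 carried end to end (the apparatus claims 11-20 are the same steps in module form), as an added Python example that is not part of the patent or of any implementation of it. The RSA is a toy textbook stand-in (unpadded, 256-bit modulus) used only so the file runs offline; the application identifier `https://example.test`, the random hex key handle, the derivation of the "parameter known to the authenticator" from the application identifier and key handle, and treating a user with no server record as unregistered are all assumptions of this example, not details from the claims.

```python
"""Added example, not the patent's code: a runnable model of the registration flow of method
claims 1-10 (mirrored by apparatus claims 11-20). The RSA is textbook, toy-sized and unpadded so
the file runs offline; the app identifier, key handle format and "known parameter" are assumptions."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=20):  # Miller-Rabin on odd n > 3; toy use only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=256):
    """Return ((n, e), (n, d)); the 256-bit modulus is for speed only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_apply(key, m):
    return pow(m, key[1], key[0])

def known_parameter(app_id, key_handle):
    """The 'parameter known to the authenticator' of claims 3/4 (assumed derivation): computed by
    both sides from app identifier and key handle; 24 bytes keeps it below the modulus."""
    return int.from_bytes(hashlib.sha256(f"{app_id}|{key_handle}".encode()).digest()[:24], "big")

class Authenticator:
    def __init__(self):
        self.records = {}  # key_handle -> {"app_id", "pub", "priv"}

    def query_registration_state(self, app_id, authentication_info, key_handle):
        """Claims 1, 3, 4, 5: fetch the record by key handle (claim 5), then test whether the
        private key held here matches the authentication info the server supplied."""
        rec = self.records.get(key_handle)
        if rec is None or rec["app_id"] != app_id:
            return "unregistered"  # also covers a user who has no record on the server yet
        kind, value = authentication_info
        probe = known_parameter(app_id, key_handle)
        # claim 3: we encrypt the probe under the server's public key; claim 4: the server did
        ciphertext = rsa_apply(value, probe) if kind == "public_key" else value
        return "registered" if rsa_apply(rec["priv"], ciphertext) == probe else "unregistered"

    def register(self, app_id):
        """Claims 1-2: a fresh key pair per registration; returns (public key, key handle)."""
        pub, priv = rsa_keygen()
        key_handle = secrets.token_hex(16)  # assumption: an opaque random handle
        self.records[key_handle] = {"app_id": app_id, "pub": pub, "priv": priv}
        return pub, key_handle

class Server:
    def __init__(self, app_id):
        self.app_id, self.records = app_id, {}  # records: user -> {"public_key", "key_handle"}

    def first_registration_request(self, user, mode="encrypted_parameter"):
        """Claims 9-10: the user's authentication info on this server plus the app identifier."""
        rec = self.records.get(user)
        if rec is None:  # assumption: no record yet, so nothing for the authenticator to match
            return {"app_id": self.app_id, "authentication_info": None, "key_handle": None}
        if mode == "public_key":
            info = ("public_key", rec["public_key"])
        else:
            info = ("encrypted_parameter", rsa_apply(rec["public_key"], known_parameter(self.app_id, rec["key_handle"])))
        return {"app_id": self.app_id, "authentication_info": info, "key_handle": rec["key_handle"]}

    def first_registration_response(self, user, public_key, key_handle):
        self.records[user] = {"public_key": public_key, "key_handle": key_handle}

def client_register(server, auth, user, mode="encrypted_parameter"):
    """Claims 6-7: the authentication client relays between server and authenticator."""
    req = server.first_registration_request(user, mode)
    state = auth.query_registration_state(req["app_id"], req["authentication_info"], req["key_handle"])
    if state == "registered":
        return "already registered"
    pub, handle = auth.register(req["app_id"])  # authenticator registration request/response
    server.first_registration_response(user, pub, handle)
    return "registered"

def demo():
    """One authenticator, one app identifier, two users: the second user is still registered."""
    server, auth = Server("https://example.test"), Authenticator()
    return (client_register(server, auth, "alice"), client_register(server, auth, "bob"),
            client_register(server, auth, "alice"), len(auth.records))
```

`demo()` registers alice, then bob, on the same server with the same authenticator, then re-runs alice: the first two calls return "registered", the third "already registered", and the authenticator ends up with exactly two records, which is the behaviour the abstract describes. Two points a practitioner would check in a real implementation are visible here: the authenticator compares the decrypted value against a parameter it derives itself and never hands a decrypted value back to the client, and it only answers for a record bound to the application identifier carried in the query. The second alternative of claim 3 (encrypt with the private key, decrypt with the public key) is, with a real library, a signature and its verification, and should use a padded signature scheme rather than raw exponentiation.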
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410529164.3A CN105577606B (en) | 2014-10-09 | 2014-10-09 | A kind of method and apparatus for realizing authenticator registration |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105577606A true CN105577606A (en) | 2016-05-11 |
CN105577606B CN105577606B (en) | 2019-03-01 |
Family ID: 55887275
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410529164.3A Active CN105577606B (en) | 2014-10-09 | 2014-10-09 | A kind of method and apparatus for realizing authenticator registration |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105577606B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1556449A (en) * | 2004-01-08 | 2004-12-22 | 中国工商银行 | Device and method for proceeding encryption and identification of network bank data |
CN1801815A (en) * | 2005-08-08 | 2006-07-12 | 华为技术有限公司 | Method for realizing initial Internet protocol multimedia subsystem registration |
CN101217480A (en) * | 2008-01-09 | 2008-07-09 | 中兴通讯股份有限公司 | A third party registration method of multi-terminal user in the subsystem of IP multimedia |
JP4128610B1 (en) * | 2007-10-05 | 2008-07-30 | グローバルサイン株式会社 | Server certificate issuing system |
CN101674304A (en) * | 2009-10-15 | 2010-03-17 | 浙江师范大学 | System and method for network identity authentication |
CN101951603A (en) * | 2010-10-14 | 2011-01-19 | 中国电子科技集团公司第三十研究所 | Access control method and system for wireless local area network |
CN102065069A (en) * | 2009-11-11 | 2011-05-18 | 中国移动通信集团公司 | Method and system for authenticating identity and device |
CN102521731A (en) * | 2011-12-04 | 2012-06-27 | 东华大学 | Electronic contract sealing method based on barter system |
Events
- 2014-10-09: Application CN201410529164.3A filed (CN); granted as CN105577606B, status Active
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107920068A (en) * | 2017-11-14 | 2018-04-17 | 北京思特奇信息技术股份有限公司 | A kind of authentication method and system |
CN112073178A (en) * | 2019-06-10 | 2020-12-11 | 联阳半导体股份有限公司 | Authentication system and authentication method |
CN112073178B (en) * | 2019-06-10 | 2024-04-05 | 联阳半导体股份有限公司 | Authentication system and authentication method |
CN111274570A (en) * | 2019-06-25 | 2020-06-12 | 宁波奥克斯电气股份有限公司 | Encryption authentication method and device, server, readable storage medium and air conditioner |
CN111917551A (en) * | 2020-06-23 | 2020-11-10 | 深圳奥联信息安全技术有限公司 | Handle access protection method and system based on certificateless public key |
Also Published As
Publication number | Publication date |
---|---|
CN105577606B (en) | 2019-03-01 |
Similar Documents
Publication | Title |
---|---|
US11258777B2 (en) | Method for carrying out a two-factor authentication |
CN107948204B (en) | One-key login method and system, related equipment and computer readable storage medium |
US20170250974A1 (en) | System and method for service assisted mobile pairing of password-less computer login |
US20140006781A1 (en) | Encapsulating the complexity of cryptographic authentication in black-boxes |
CN111953708A (en) | Cross-account login method and device based on cloud platform and server |
US9055061B2 (en) | Process of authentication for an access to a web site |
US12261957B2 (en) | Systems and methods for enhanced mobile device authentication |
CN100512201C (en) | Method for dealing inserted-requested message of business in groups |
CN112000951B (en) | Access method, device, system, electronic equipment and storage medium |
CN109981562B (en) | Software development kit authorization method and device |
GB2554082B (en) | User sign-in and authentication without passwords |
CN103906052B (en) | A kind of mobile terminal authentication method, Operational Visit method and apparatus |
CN111130798B (en) | Request authentication method and related equipment |
TWI632798B (en) | Server, mobile terminal, and network real-name authentication system and method |
CN106034123A (en) | Authentication method, application system server and client |
CN112765626A (en) | Authorization signature method, device and system based on escrow key and storage medium |
CN104753674A (en) | Application identity authentication method and device |
CN110365483A (en) | Cloud platform authentication method, client, middleware and system |
CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment |
CN104579657A (en) | Method and device for identity authentication |
CN114244530B (en) | Resource access method and device, electronic device, and computer-readable storage medium |
US20240364523A1 (en) | Identity authentication based on time-based one-time password algorithm |
CN112448930A (en) | Account registration method, device, server and computer readable storage medium |
CN105577606B (en) | A kind of method and apparatus for realizing authenticator registration |
CN116032556B (en) | Key negotiation method and device for small program application |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |